From 0ee9848231d0a7a02fdc8e915d830ebaf6cc09c0 Mon Sep 17 00:00:00 2001
From: Kevin Decherf
Date: Sat, 29 Dec 2018 19:43:07 +0100
Subject: [PATCH] TagRestController: add tests to ensure that other user's tags are unreachable
Signed-off-by: Kevin Decherf
---
 .../Controller/TagRestControllerTest.php | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
index 430e548d..8f1e6f02 100644
--- a/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
+++ b/tests/Wallabag/ApiBundle/Controller/TagRestControllerTest.php
@@ -7,6 +7,8 @@ use Wallabag\CoreBundle\Entity\Tag;
 class TagRestControllerTest extends WallabagApiTestCase
 {
+ private $otherUserTagLabel = 'bob';
+
 public function testGetUserTags()
 {
 $this->client->request('GET', '/api/tags.json');
@@ -19,6 +21,12 @@ class TagRestControllerTest extends WallabagApiTestCase
 $this->assertArrayHasKey('id', $content[0]);
 $this->assertArrayHasKey('label', $content[0]);
+ $tagLabels = array_map(function ($i) {
+ return $i['label'];
+ }, $content);
+
+ $this->assertNotContains($this->otherUserTagLabel, $tagLabels, 'There is a possible tag leak');
+
 return end($content);
 }
@@ -53,6 +61,16 @@ class TagRestControllerTest extends WallabagApiTestCase
 $this->assertNull($tag, $tagLabel . ' was removed because it begun an orphan tag');
 }
+ public function testDeleteOtherUserTag()
+ {
+ $em = $this->client->getContainer()->get('doctrine.orm.entity_manager');
+ $tag = $em->getRepository('WallabagCoreBundle:Tag')->findOneByLabel($this->otherUserTagLabel);
+
+ $this->client->request('DELETE', '/api/tags/' . $tag->getId() . '.json');
+
+ $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+ }
+
 public function dataForDeletingTagByLabel()
 {
 return [
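Review bot: The `assertNotContains` added to testGetUserTags can only fail if a tag labelled 'bob' really exists on another user's entries in the test fixtures, and nothing visible in this patch shows or checks that, so the leak check would keep passing if that fixture were renamed or removed. A comment on the property would record the dependency, for example `// label of a tag that exists only on another user's entries in the fixtures`. The label extraction can also be written as `$tagLabels = array_column($content, 'label');`. testGetUserTags starts outside this hunk.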
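Review bot: testDeleteOtherUserTag asserts only the 404 status, so it would still pass if the request removed the tag and the controller then answered 404, and it calls `$tag->getId()` without checking that `findOneByLabel` returned a tag. Add `$this->assertNotNull($tag, 'fixture tag of the other user is missing');` before the request and, after the status assertion, `$this->assertNotNull($em->getRepository('WallabagCoreBundle:Tag')->findOneByLabel($this->otherUserTagLabel), 'other user tag must not be deleted');`. The same gap applies to testDeleteTagByLabelOtherUser and testDeleteTagsByLabelOtherUser in the two later hunks, where a 404 is presumably also what a label that does not exist at all returns. Checking that the tag exists before and after the request is what ties the 404 to the access-control decision.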
@@ -112,6 +130,13 @@ class TagRestControllerTest extends WallabagApiTestCase
 $this->assertSame(404, $this->client->getResponse()->getStatusCode());
 }
+ public function testDeleteTagByLabelOtherUser()
+ {
+ $this->client->request('DELETE', '/api/tag/label.json', ['tag' => $this->otherUserTagLabel]);
+
+ $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+ }
+
 /**
 * @dataProvider dataForDeletingTagByLabel
 */
@@ -180,4 +205,11 @@ class TagRestControllerTest extends WallabagApiTestCase
 $this->assertSame(404, $this->client->getResponse()->getStatusCode());
 }
+
+ public function testDeleteTagsByLabelOtherUser()
+ {
+ $this->client->request('DELETE', '/api/tags/label.json', ['tags' => $this->otherUserTagLabel]);
+
+ $this->assertSame(404, $this->client->getResponse()->getStatusCode());
+ }
 }
-- 
2.41.0
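Review bot: testDeleteTagsByLabelOtherUser sends only the other user's label, so a request that combines one of the current user's own labels with `$this->otherUserTagLabel` is not covered by the tests added here. If `tags` accepts several labels, as the plural parameter name suggests, the mixed request is the case where the ownership check has to hold per label rather than for the request as a whole. A second test sending both labels and asserting afterwards that the 'bob' tag still exists would cover it. Whether an existing test outside this hunk already does so cannot be seen from the patch.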